One Article Review

Home - The article:
Source: Anomali
Identifier: 6768417
Publication date: 2022-09-07 15:00:00 (viewed: 2022-09-07 15:06:50)
Title: Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: critical infrastructure, crypto mining, delayed execution, phishing, ransomware, reverse proxy, Russia, and steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022)

Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, EvilProxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, EvilProxy has enabled phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.

Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases the risk of follow-up supply-chain attacks. The Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. Because the kit bypasses 2FA, users need to be aware of phishing risks and pay even more attention to the domains that ask for their credentials and 2FA codes.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: EvilProxy, Phishing, Phishing-as-a-Service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain

Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022)

Cybereason researchers investigated the Ragnar Locker ransomware that was involved in the cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019, and this is not the first time it has targeted critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware, including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtualization software), and encrypting the system with the exception list in mind.

Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy about attacking critical infrastructure as long as the targets are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, a false sense of urgency, or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste
Sent: Yes
Tags: Ransomware, Malware, Tool, Threat, Patching, Guideline
Stories: Yahoo


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.